See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/299451431

Investigating GSM Control Channels with RTL-SDR and GNU Radio

Conference Paper · March 2016

DOI: 10.1109/WiSPNET.2016.7566288

CITATIONS READS
5 6,691

3 authors, including:

Khyati P Vachhani
The MathWorks, Inc
14 PUBLICATIONS 96 CITATIONS

SEE PROFILE

All content following this page was uploaded by Khyati P Vachhani on 01 April 2019.

The user has requested enhancement of the downloaded file.

 This full-text paper was peer-reviewed and accepted to be presented at the IEEE WiSPNET 2016 conference.

Investigating GSM Control Channels with

RTL-SDR and GNU Radio
Deepak Vohra Arusha Dubey Khyati Vachhhani
Student, Electrical Dept. Student, Electrical Dept. Assistant Professor, Electrical Dept.
Nirma University, Nirma University, Nirma University,
Ahmedabad, India Ahmedabad, India Ahmedabad, India
dvohra.93@gmail.com arusha.dubey31@gmail.com khyati.vachhani@nirmauni.ac.in

Abstract—This paper focuses on the compliance of publicly becomes ineffectual in providing necessary requirements in
available specifications of Global System for Mobile communi- terms of privacy and security of the subscriber. This results
cation (GSM) with the extremely closed GSM industry with the in possible active or passive attacks on GSM networks.
help of RTL-SDR, GNU Radio and Wireshark. GNU Radio is a
free and open software which enables the translation of real- Despite the fact that highly resourceful GSM intercepting
world systems to programmable flow graphs. GSM, together hardwares are present, procurement and endmost approval
with other technologies, is part of the evolution of wireless of such hardware is in the hands of government agencies
mobile telecommunications. Hence, verification of GSM working only. Ultimately, this obstructs the analysis and testing of
is of crucial importance. During this paper, Control channel GSM infrastructure. With the enhancement of several open-
information like the bandwidth for specific network providers
was reckoned, along with the IMSI number and ARFCN channel source softwares viz GNU Radio, Airprobe, Wireshark and
in use by mobile device of the respective network. It was also Openbts along with reconfigurable-reprogrammable hardwares
noted that observed cell towers used both frequency hopping viz Software Defined Radio [4], it is now possible to analyze
and encryption. The channel information thus obtained provides the GSM network for more robust security and efficiency.
efficient techniques for the detection of spectrum holes providing This paper focuses on analysis of GSM downlink traffic on
high spectral resolution capability.
Index Terms—GSM,SDR,RTL-SDR,GNU Radio,Wireshark,
Um interface that is present between Base Transceiver Station
Common Control Channels (BTS) and Mobile Station (MS).
The paper is organized as follows: Section 2 describes
the theoretical background of GSM system architecture and
I. I NTRODUCTION
network Architecture with necessary block diagrams. Section
The mobile communication has undergone a tremendous 3 discusses the open-source software tools and hardware
growth and has influenced different spheres of human race. used to capture downlink packet data. Section 4 describes
In 2015, the number of mobile users has nearly reached analysis of GSM protocol stack by amalgamation of RTL-
to 6 billion users amongst which 4 billion users are using SDR, GNU Radio and Wireshark. In Section 5, the results
Global System for Mobile Communication (GSM) around captured by Wireshark and GNU Radio are analysed and
the globe. Global System for Mobile Communication [1], a verified with the designated test phone. The future scope on
second-generation cellular system is the first cellular system security enhancement and more research required on software
to identify digital modulation along with network level archi- front is discussed in section 6. Lastly, the paper ends with
tecture and its related services. GSM has observed spectacular conclusion.
refinement leading to various versions like GSM1800, HSCSD
II. T HEORETICAL BACKGROUND OF GSM
(High Speed Circuit Switched Data), EDGE (Enhanced Data
rates for GSM Evolution), and GPRS (General Packet Radio A. GSM System Architecture
Service) and continued to 3G systems like Universal Mobile The GSM network is divided into three major sub-systems,
Telecommunication Systems (UMTS). With the knowledge being the Base Station Subsystem (BSS), Network and
that GSM consists of several inherent security flaws, 3G Switching Subsystem (NSS) and the Operation Support Sub-
systems like UMTS [2] were able to address these security system (OSS) [5]. BSS is sometimes also referred to as the
flaws methodically. Nevertheless, the traditional GSM network GSM Access Network (AN) while NSS is conveniently called
which fails to resist several security flaws is still followed by the GSM Core Network (CN). The Mobile Station (MS) is
many developing countries around the globe. Soon after its im- a device of utility to the subscriber which is considered to
plementation, GSM was found unprotected to eavesdropping be a part of the BSS and is used to access the services
attacks [3]. Since there is no authentication required between provided by the mobile network. The BSS, responsible for
Base Transceiver Station (BTS) and Mobile Station (MS) management of radio interface between mobile stations and all
and network operators are not impelled on using encryption other subsystems, consists of several Base Transceiver Stations
in public land mobile network (PLMN), the entire system (BTS) controlled by Base Station Controller (BSC). Another

978-1-4673-9338-6/16/$31.00 2016
c IEEE 1008
 This full-text paper was peer-reviewed and accepted to be presented at the IEEE WiSPNET 2016 conference.

important part of the BSS is transcoder/rate adaption unit

(TRAU) which performs speech encoding and decoding and
rate adaptation during data transmission. The NSS performs
key functions of the network such as call control, mobility
management, routing and switching apart from subscription
information and service provision based on this information.
It also manages communication with other networks such as
Integrated Services for Digital Network (ISDN) and Public
Switched Telephone Network (PSTN). Within the GSM NSS,
the permanent master database is stored in the Home Location
Register (HLR) and the temporary database of the subscribers
currently visiting the mobile network in the Visitor Location
Register (VLR).

Fig. 2: GSM System Architecture [6]

The combined area of all the countries using GSM services

constitutes the GSM service area [6]. A country is further
divided into several PLMN service areas depending upon its
size. A PLMN has several MSC/VLR service areas. A gateway
MSC routes all the incoming calls in a PLMN network and
Fig. 1: GSM System Architecture [5] makes inter-connections for calls between PLMNs. They route
the incoming calls to the desired MSC within the MSC area
The subscriber authentication unit is labelled as the Au- wherein a subscribed is located. The VLR uniquely identifies
thentication Centre (AuC) while the handset verification is the MS and is associated with the MSC. A single MSC service
assigned to the Equipment Identity Register (EIR). The Mobile area has many LA. The GSM system uses LA to identify an
service switching centre (MSC) controls several BSCs and active subscriber. While roaming in a LA, the MS need not
coordinates call set-up to and from GSM users. The three update its location to the MSC/VLR. The LA can be identified
major areas of OSS are namely the network operation and by the system using the Location Area Identity (LAI). Finally,
maintenance functions, subscription management i.e. charging a LA is partitioned into several cells. A cell is an identity
and billing, and mobile equipment management. These tasks served by one BTS. The Base Station identification Code
are carried out under the main unit of OSS - the Operational (BSIC) differentiates one cell from another.
and Maintenance Centre (OMC). Mobile Equipment (ME) and III. H ARDWARE -S OFTWARE S UITE
Subscriber Identity Module (SIM) are the components of MS. A. Sotware Defined Radio
SIM are a smart cards containing multiple application software
Software Defined Radio (SDR) is defined as a radio com-
modules for secure identification of the subscriber. It stores the
munication system wherein some or all physical layers can
permanent identity of the user called the International Mobile
be defined as software modules. The Radio Frequency (RF)
Subscriber Identity (IMSI) and shared secret key. It can be
signal generated or captured by the SDR is programmed
easily inserted in the ME. The radio interface between MSC
by softwares, greatly reducing hardware complexity [7]. For
and BSC is called A Interface. The interface between BSC
and BTS is the A-bis interface whereas the interface between
MS and BTS is called Um interface.

B. GSM Network Architecture

It is crucial in a mobile network to have an efficiently
designed structure for routing the calls correctly. It is therefore
a challenging task due to the mobility of the subscribers. A
GSM network is partitioned into the following areas:
• GSM service area;
• PLMN service area;
• MSC service area; Fig. 3: Block Diagram of Software Defined Radio[7]
• Location area (LA);
• Cells. executing communication experiments on SDR, hardware like

1009
 This full-text paper was peer-reviewed and accepted to be presented at the IEEE WiSPNET 2016 conference.

Universal Software Radio Peripheral (USRP) [8] or Realtek- frequencies spaced at 200 KHz. These carrier frequencies
Software Defined Radio (RTL-SDR) can be used. USRP is are termed as Absolute Radio Frequency Channel Number
a transceiver developed by Ettus Research and National In- (ARFCN). Similarly, for GSM-1800, known as E-GSM, with
struments. It turns a host computer into a wireless prototyping a frequency spectrum of 75 MHz bandwidth, 374 ARFCNs
system. While USRP however is costly, RTL-SDR is a low cost are obtained when regularly spaced at 200 KHz.
alternative. RTL-SDR is a cost effective software defined radio Due to lack of inexpensive hardware and complex signaling
that uses a DVB-T TV tuner dongle based on the RTL2832U present, remarkable attempts were not carried out for acquisi-
chipset. It is also often referred to as RTL2832U, DVB-T SDR, tion and decoding of downlink GSM traffic. Nonetheless, the
RTL dongle or the $20 Software Defined Radio. recent existence of open-source tools viz SDR, GNU Radio,
Airprobe and Wireshark has changed the outlook remarkably.
B. GNU Radio
Several versatile and inexpensive SDRs have become promi-
GNU Radio is an open source software tool kit that enables nent in investigating the Radio Frequency (RF) spectrum.
building of a Software Defined Radio. The prime advantage Some of these are RTL-SDR, USRP, FUNcube Dongle etc.
obtained by GNU Radio is by creating different radio devices Instead of USRP, RTL-SDR is used to further investigate the
on a single USRP board. Different functionalities like mod- GSM downlink traffic.
ulation, demodulation, filtering, encoding, decoding, source
coding, channel coding etc. are provided as software codes
[9]. The advantage of implementing functionalities as software
modules is that it provides a high degree and ease of re-
configurability property to SDR. One of the helpful attributes
accepted by GNU Radio is the spectrum analyzing tool which
can be useful in detecting the carrier frequency of a BTS.
Also in conjunction with Airprobe tool, collective broadcast
messages from the BTS can be acquired.
C. Wireshark
Wireshark, previously known as Ethereal, is a packet anal-
yser. It is an efficient way to learn exactly how the network
protocols work. It observes the messages exchanged between
executing protocol entities and displays the content of various
protocol fields in these captured messages.

Fig. 5: P-GSM spectrum Caputred with GNU Radio &

Airprobe

At software front, GNU Radio and Airprobe in synchrony

with open-source protocol analyser Wireshark were used to
capture and analyse the GSM downlink traffic as shown in
Fig. 5. The analysis can be explicitly done using Wireshark
Fig. 4: Wireshark-A protocol Analyzer wherein packet data in form of octet bits of various GSM
logical channels can be obtained. Then after, RTL-SDR instead
A packet sniffer itself is passive. It observes messages being of USRP can be used for capturing the raw GSM frames from
sent and received by applications and protocols running on Um interface. The GSM frames are captured using RTL-SDR
your computer, but never sends packets itself [10]. Similarly, in conjunction with GNU Radio and the corresponding data
received packets are never explicitly addressed to the packet is stored in a file named as .cfile.
sniffer. Instead, a packet sniffer receives a copy of packets that Using the following equations and ARFCN channel number
are sent or received from and by application and protocols (n) as obtained in Wireshark, the corresponding downlink
executing on your machine. Network professionals also use frequencies are obtained [11]. During analysis part, ARFCN
Wireshark to troubleshoot networking problems. from 26 to 37 were captured on Wireshark terminal. These are
indicated in Table I.
IV. ANALYSIS OF DOWNLINK GSM TRAFFIC For P-GSM (900) band:
GSM-900, also called as P-GSM, has a frequency spectrum
of 25 MHz bandwidth which is further divided into 124 carrier Fdownlink (n) = [45 + (890 + 0.2n)]MHz (1)

1010
 This full-text paper was peer-reviewed and accepted to be presented at the IEEE WiSPNET 2016 conference.

Where n lies from 1 to 124.

The Discrete Fourier transform of active channels present
in a given area is displayed on GNU Radio. In Wireshark, an
interim buffer is created that can hold the known burst. The
burst is then forwarded to the socket identified in Wireshark
TABLE I: Scanning GSM 900 Band
Fig. 6: System Information Type 2
Absolute Radio Frequency Channel Frequency
Channel Number(ARFCN)
26 940.2 MHz
27 940.4 MHz
28 940.6 MHz
29 940.8 MHz
30 941.0 MHz
31 941.2 MHz
32 941.4 MHz
33 941.6 MHz
34 941.8 MHz
35 942.0 MHz
36 942.2 MHz Fig. 7: System Information Type 3
37 942.4 MHz

as 127.0.0.1:4729 on loopback(lo) which entitles the port System Information Type 3 message as shown in Fig. 7 give
GSMTAP [12]. Despite the fact that packets are discarded location area identification. The globally unique cell global
after being received by the destination, it can still be cap- identity (CGI) is formed by using a concatenation of the cell
tured using Wireshark on port 4729 with loopback(lo) by the identity (CI) and location area identity (LAI). The LAI is
help of capture filter provided the downlink is still running. broadcasted over the BCCH in different SIs. Along with the
Consequently, Wireshark provides a complete software front CI, LAI is also broadcast over SI 3. The LAI comprises of
end user interface to the GSM protocol analyzer due to its Mobile Country Code (MCC), Mobile Network Code (MNC)
capability in dissecting GSM frames. and Location Area Code (LAC).
V. R ESULTS
With the discussion done above, P-GSM traffic was captured
and analysed to verify the elaborated GSM protocol analyser
with real world framework. The packets received at Wireshark
terminal were only intended to get broadcast messages and sig-
nalling information. Hence, no infringement was established
on GSM subscribers security and privacy.
The contents of the Broadcast Control Channel (BCCH)
channel are generated at the BSC and are transmitted over the
air as Radio Resource (RR) messages. A number of system
information messages are defined to carry a plethora of system
information parameters necessary for the MS, which includes Fig. 8: Immediate Assignment with no hopping channel
system Information (SI) 1, 2, 3, 4 and 13. Apart from these,
some other SIs (5 and 6) are transmitted on Slow Associated The Mobile Country Code (MCC) is of 3 digits followed
Control Channel (SACCH) to those MS which have active RR by the Mobile Network Code (MNC) of 2-3 digits and lastly
connection. the Location Area Code (LAC) represented by 2 octets, i.e. 0-
The contents of the SI are so distributed that the crucial 65535 for different LACs . Cell Identity (CI) of two octets
information occur quite frequently. One particular example is (16 bits) identifies a cell within a location area. The CI
of Random Access Channel (RACH) control parameter that 6284 captured by Wireshark is identical with the CI of the
comes in almost every SI resulting in a frequency of 4 times designated test phone device used.
every second. The MS can initiate the establishment of the Radio Resource
System Information Type 2 message as shown in Fig. 6 give (RR) connection by sending a channel request message over
the neighbouring cell channel description. The neighbouring RACH. The BSC, in turn, assigns resources for the RR
cell description gives list of ARFCN which are meant for connection by sending an immediate assignment command
monitoring the BCCH of the neighbouring cells. Bitmap 0 to the MS over Access Grant Channel (AGCH). Immediate
indicates GSM 900 band being used, while variable bitmap assignment message as shown in Fig. 8 give packet channel
shows GSM 1800 or 1900 being used. BA-IND is a BCCH description of the obtained ARFCN. It consists of hopping
allocation sequence number indication. It switches from 1 to channel data, time slot number and training sequence.
0 or vice -versa whenever the ARFCN of the user changes. The channel description facilitates frequency hopping by

1011
 This full-text paper was peer-reviewed and accepted to be presented at the IEEE WiSPNET 2016 conference.

VII. CONCLUSION
RTL-SDR is a cost-effective hardware, with compatible flow
graphs for USRP. This is of extreme importance since GSM
Technology is constantly going forward from year to year.
The publicly available specifications of GSM are verified to
comply with the extremely closed GSM industry. With some
affordable tools like GNU Radio and Wireshark available,
practical research of the GSM industry has become viable.
Fig. 9: Immediate Assignment with hopping channel
This gives subscribers the ability to verify the workings of
GSM, e.g. to check whether, and what kind of, encryption is
providing a list of freqeuncies that are used to decode the being used to protect their conversations. The key feature of
mobile allocation. The mobile allocation provides a list of RF GSM is on-the-air-privacy. During this project, it was verified
channels belonging to the cell location (coded with binary that observed cell towers used both frequency hopping and
’1’ in the channel description as shown in Fig. 9), which is encryption. Airprobe limits itself to the downlink side of the
used in the mobile hopping sequence. All dedicated channel air interface - cell tower to mobile phone. The bandwidth for
types and their associated channel types can hop. However, specific network providers was reckoned during the project,
frequency hopping of BCCH channel is not permitted. When along with the IMSI number, ARFCN channel in use and the
hopping channel is present, the immediate assignment message Location Area Identification (LAI) of the mobile device of the
gives the information regarding hopping parameters such as respective network. The captured cell ID too was verified from
the Mobile Allocation Index Offset (MAIO) and the Hopping the designated test phone device.
Sequence Number (HSN) as shown in Fig. 9. The HSN R EFERENCES
45 obtained in Wireshark is identical with the HSN of the
[1] A. Mehrotra and L. S. Golding, “Mobility and security management in
designated test phone device. the gsm system and some proposed future improvements,” Proceedings
of the IEEE, vol. 86, no. 7, pp. 1480–1497, 1998.
[2] F. Hillebrand, GSM and UMTS: the creation of global mobile commu-
nication. John Wiley & Sons, Inc., 2002.
[3] S. M. Siddique and M. Amir, “Gsm security issues and challenges,”
2006.
[4] K. Vachhani and R. A. Mallari, “Experimental study on wide band fm
receiver using gnuradio and rtl-sdr,” in Advances in Computing, Com-
munications and Informatics (ICACCI), 2015 International Conference
on. IEEE, 2015, pp. 1810–1814.
[5] G. Gu and G. Peng, “The survey of gsm wireless communication
Fig. 10: Paging Request Type 1 system,” in Computer and Information Application (ICCIA), 2010 In-
ternational Conference on. IEEE, 2010, pp. 121–124.
[6] A. Mehrotra, GSM system engineering. Artech House, Inc., 1997.
The Paging Channel (PCH) and Access Grant Channel [7] K. Vachhani, “Multiresolution analysis: An unified approach using
(AGCH) are collectively known as downlink Common Control discrete wavelet transform on gnu radio,” in Green Computing and
Internet of Things (ICGCIoT), 2015 International Conference on. IEEE,
Channels (CCCH). The PCH is used for paging wherein the 2015, pp. 887–892.
MS is informed about an incoming call or sms. The MSC/VLR [8] M. Ettus, “Usrp user?s and developer?s guide,” Ettus Research LLC,
sends a paging message to one or more BSC and the BSCs, 2005.
[9] M. Sruthi, M. Abirami, A. Manikkoth, R. Gandhiraj, and K. Soman,
in turn, send the RR paging command to the MS. The paging “Low cost digital transceiver design for software defined radio us-
messages can be grouped depending upon the number of MS ing rtl-sdr,” in Automation, Computing, Communication, Control and
that are paged and whether TMSI/IMSI are used for paging. Compressed Sensing (iMac4s), 2013 International Multi-Conference on.
IEEE, 2013, pp. 852–855.
For this purpose, three types of paging messages are defined [10] U. Lamping, R. Sharpe, and E. Warnicke, Wireshark User?s
in the Radio Resource (RR) management, i.e paging type 1, Guide For Wireshark 2.1, 1st ed., 2016. [Online]. Available:
paging type 2 and paging type 3. Paging request types 1, 2 and https://www.wireshark.org/download/docs/user-guide-a4.pdf
[11] M. Hadzialic, M. Skrbic, K. Huseinovic, I. Kocan, J. Musovic, A. Hebi-
3 on wireshark contains MS identity which can be a temporary bovic, and L. Kasumagic, “An approach to analyze security of gsm
identity called Temporary Mobile Subscriber Identity (TMSI) network,” in Telecommunications Forum Telfor (TELFOR), 2014 22nd.
or a permanent identity (IMSI) as shown in Fig. 10. IEEE, 2014, pp. 99–102.
[12] S. Aragon, F. Kuhlmann, and T. Villa, “Sdr-based network impersonation
VI. FUTURE SCOPE attack in gsm-compatible networks,” in Vehicular Technology Confer-
ence (VTC Spring), 2015 IEEE 81st. IEEE, 2015, pp. 1–5.
Despite the fact that Airprobe can handle full-rate traffic
channel decoding, there is still a lot of research improvement
required in handling half-rate channels. The other area which
needs attention is the enhancement of security in hopping
channels by upgrading the current encryption algorithms. This
can be established by thorough analysis and recommendations
on currently available GSM data and its security.

1012

View publication stats